
Design And Implementation Of Behavior Forensics And Analysis System For Malware

Posted on: 2021-09-29
Degree: Master
Type: Thesis
Country: China
Candidate: L L Chen
Full Text: PDF
GTID: 2518306104999999
Subject: Computer technology
Abstract/Summary:
At present, most malware forensic analysis methods depend only on memory or only on disk, so they cannot detect the traces of malware completely and accurately. Additionally, most methods yield only a series of independent behaviors, so it is hard to use them to conduct a holistic analysis of malware behavior. To address these problems, a malware forensic analysis method that combines memory forensics and disk forensics is proposed. The method is divided into four modules: a digital evidence acquisition module, a memory forensic analysis module, a disk forensic analysis module and a synthetic correlation module. The digital evidence acquisition module is responsible for obtaining the memory data, disk files and internal time of the virtual machine before, during and after the malware runs. To deal with TOC-TOU (time-of-check to time-of-use) attacks, a multi-granularity forensics trigger mechanism is proposed. The memory forensic analysis module is responsible for analyzing the acquired virtual machine memory data, extracting the behaviors generated by malware from kernel objects and performing suspicious-behavior identification. The disk forensic analysis module is responsible for analyzing the acquired virtual machine disk files, extracting the file operation behaviors generated by malware from the NTFS file system and performing suspicious-behavior identification. The synthetic correlation module is responsible for the comprehensive association analysis of all behaviors extracted from memory and disk, the final reconstruction of the malware attack process timeline, and visualization of the attack process. According to the above method, a prototype system was implemented and tested with 50 malware samples. The experimental results show that, compared with VirusTotal, the prototype system can detect most malicious behaviors and performs better in GUI behavior detection and file operation behavior detection. In addition, the prototype system can reconstruct the entire malware attack process and visualize it according to the timeline, so it better helps security analysts grasp the entire behavior process of malware as a whole.
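The abstract describes the synthetic correlation module only at a high level. The following added example (not code from the thesis or its prototype system) sketches the core of such a module: process records as they would be carved from kernel process objects in the memory image and NTFS file timestamps read from the disk image are normalized into one event schema, trimmed to the acquisition window, sorted into a single timeline, and each file operation is attributed to the process in the sample's process tree that was alive at that instant. All record contents, timestamps, PIDs and paths are constructed sample data, and the "youngest live descendant" attribution rule is an assumption chosen for illustration, not the thesis's own correlation logic.

```python
"""Added example: merging memory- and disk-derived behaviors into one attributed timeline."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional


@dataclass(order=True)
class Event:
    ts: datetime                                 # guest (VM internal) time, the common clock
    source: str = field(compare=False)           # "memory" or "disk"
    kind: str = field(compare=False)             # process_start / process_exit / file_create / file_modify
    subject: str = field(compare=False)          # process name or file path
    pid: Optional[int] = field(default=None, compare=False)
    attributed_to: Optional[int] = field(default=None, compare=False)  # pid blamed for a disk event


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample data (not from the thesis): process records of the kind recovered
# from kernel process objects in the memory image.
MEMORY_RECORDS = [
    {"pid": 1200, "name": "explorer.exe", "parent": 800,  "start": "2021-05-01T10:00:05", "exit": None},
    {"pid": 3344, "name": "sample.exe",   "parent": 1200, "start": "2021-05-01T10:05:10", "exit": "2021-05-01T10:05:40"},
    {"pid": 3360, "name": "cmd.exe",      "parent": 3344, "start": "2021-05-01T10:05:12", "exit": "2021-05-01T10:05:16"},
]

# Constructed sample data: NTFS file records with their created/modified timestamps
# as read from the disk image. kernel32.dll is baseline noise untouched during the run.
DISK_RECORDS = [
    {"path": r"C:\Windows\System32\kernel32.dll",     "created": "2019-03-19T04:45:00", "modified": "2019-03-19T04:45:00"},
    {"path": r"C:\Users\user\AppData\Roaming\upd.exe", "created": "2021-05-01T10:05:15", "modified": "2021-05-01T10:05:15"},
    {"path": r"C:\Users\user\Documents\report.docx",  "created": "2020-11-02T09:00:00", "modified": "2021-05-01T10:05:18"},
]


def build_timeline(memory_records, disk_records, window_start: str, window_end: str) -> List[Event]:
    """Normalize both evidence sources into one schema and keep only events that fall inside
    the acquisition window (the interval snapshotted before/during/after the sample ran)."""
    ws, we = _t(window_start), _t(window_end)
    events: List[Event] = []
    for p in memory_records:
        events.append(Event(_t(p["start"]), "memory", "process_start", p["name"], p["pid"]))
        if p["exit"]:
            events.append(Event(_t(p["exit"]), "memory", "process_exit", p["name"], p["pid"]))
    for f in disk_records:
        events.append(Event(_t(f["created"]), "disk", "file_create", f["path"]))
        if f["modified"] != f["created"]:
            events.append(Event(_t(f["modified"]), "disk", "file_modify", f["path"]))
    # Event orders on ts alone, so this yields a single chronological timeline.
    return sorted(e for e in events if ws <= e.ts <= we)


def attribute_disk_events(timeline: List[Event], memory_records, root_pid: int) -> List[Event]:
    """Blame each disk event on a process in the sample's process tree that was alive at
    that instant; among several candidates the most recently started one is chosen."""
    procs = {p["pid"]: p for p in memory_records}
    tree = {root_pid} if root_pid in procs else set()
    changed = True
    while changed:                      # expand the tree to every descendant of the root
        changed = False
        for p in procs.values():
            if p["parent"] in tree and p["pid"] not in tree:
                tree.add(p["pid"])
                changed = True
    for ev in timeline:
        if ev.source != "disk":
            continue
        alive = [pid for pid in tree
                 if _t(procs[pid]["start"]) <= ev.ts
                 and (procs[pid]["exit"] is None or ev.ts <= _t(procs[pid]["exit"]))]
        if alive:
            ev.attributed_to = max(alive, key=lambda pid: _t(procs[pid]["start"]))
    return timeline


def render(timeline: List[Event], memory_records) -> List[str]:
    """One text line per event, the form a timeline visualization would be built from."""
    names = {p["pid"]: p["name"] for p in memory_records}
    lines = []
    for ev in timeline:
        who = f" <- {names[ev.attributed_to]}({ev.attributed_to})" if ev.attributed_to else ""
        lines.append(f"{ev.ts.isoformat()} [{ev.source:6}] {ev.kind:13} {ev.subject}{who}")
    return lines


def reconstruct(root_pid: int = 3344,
                window_start: str = "2021-05-01T10:00:00",
                window_end: str = "2021-05-01T10:10:00") -> List[Event]:
    """Full pipeline over the constructed sample data."""
    tl = build_timeline(MEMORY_RECORDS, DISK_RECORDS, window_start, window_end)
    return attribute_disk_events(tl, MEMORY_RECORDS, root_pid)


if __name__ == "__main__":
    for line in render(reconstruct(), MEMORY_RECORDS):
        print(line)
```

Two points worth noting for anyone building this for real: the window filter is what removes the bulk of pre-existing NTFS records (here kernel32.dll and the original creation of report.docx), and attribution by "who was alive" is only as good as the clock alignment between the memory snapshot and the disk timestamps, which is why the acquisition module in the abstract records the VM's internal time alongside the evidence.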
Keywords/Search Tags: Memory Forensic, Disk Forensic, Malware, Timeline Reconstruction